CFO Changing the CFO Mindset on Cybersecurity

Similar documents
Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Managing cyber risks with insurance

Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

THE CYBER SECURITY PLAYBOOK WHAT EVERY BOARD OF DIRECTORS SHOULD KNOW BEFORE, DURING, AND AFTER AN ATTACK SECURITY REIMAGINED

A COMPLETE APPROACH TO SECURITY

Cybersecurity and internal audit. August 15, 2014

Preparing for a Cyber Attack PROTECT YOUR PEOPLE AND INFORMATION WITH SYMANTEC SECURITY SOLUTIONS

CyberArk Privileged Threat Analytics. Solution Brief

I D C A N A L Y S T C O N N E C T I O N

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Building a Business Case:

The Fortinet Advanced Threat Protection Framework

The Protection Mission a constant endeavor

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

Cybersecurity: Mission integration to protect your assets

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

Getting real about cyber threats: where are you headed?

By John Pirc. THREAT DETECTION HAS moved beyond signature-based firewalls EDITOR S DESK SECURITY 7 AWARD WINNERS ENHANCED THREAT DETECTION

Security Intelligence

How Boards of Directors Really Feel About Cyber Security Reports. Based on an Osterman Research survey

Utilizing Security Ratings for Enterprise IT Risk Mitigation Date: June 2014 Author: Jon Oltsik, Senior Principal Analyst

CYBER SECURITY, A GROWING CIO PRIORITY

The Cost of Phishing. Understanding the True Cost Dynamics Behind Phishing Attacks A CYVEILLANCE WHITE PAPER MAY 2015

January IIA / ISACA Joint Meeting Pre-meeting. Cybersecurity Update for Internal Auditors. Matt Wilson, PwC Risk Assurance Director

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

CGI Cyber Risk Advisory and Management Services for Insurers

October 24, Mitigating Legal and Business Risks of Cyber Breaches

GUIDE TO IMPROVING INFORMATION SECURITY IDENTIFYING WEAKNESSES & STRENGTHENING SECURITY

Advanced Threats: The New World Order

Protecting against cyber threats and security breaches

The Future of the Advanced SOC

Cyber Threat Intelligence and Incident Coordination Center (C 3 ) Protecting the Healthcare Industry from Cyber Attacks

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

How To Create An Insight Analysis For Cyber Security

Requirements When Considering a Next- Generation Firewall

Managing the Unpredictable Human Element of Cybersecurity

Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.

Retail Security: Enabling Retail Business Innovation with Threat-Centric Security.

The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v

Information Security Threats and Strategies. Ted Ericson Product Marketing - ASI

Don t Get Left in the Dust: How to Evolve from CISO to CIRO

Cyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen. 14th Annual Risk Management Convention

DENIAL OF SERVICE: HOW BUSINESSES EVALUATE THE THREAT OF DDOS ATTACKS IT SECURITY RISKS SPECIAL REPORT SERIES

2012 Endpoint Security Best Practices Survey

EnCase Analytics Product Overview

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

Overcoming Five Critical Cybersecurity Gaps

WRITTEN TESTIMONY OF

Defensible Strategy To. Cyber Incident Response

Who s next after TalkTalk?

Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age

CYBER SECURITY GUIDANCE

WHITE PAPER. Managed Security. Five Reasons to Adopt a Managed Security Service

New York State Department of Financial Services. Report on Cyber Security in the Banking Sector

A Wake-Up Call? Fight Back Against Cybercrime. Prepared for: Ricky Link Managing Director, Southwest Region May 15, 2014

Think STRENGTH. Think Chubb. Cyber Insurance. Andrew Taylor. Asia Pacific Zone Product Manager Chubb Pro PI, Media, Cyber

Defending yesterday. Financial Services. Key findings from The Global State of Information Security Survey 2014

Gaining the upper hand in today s cyber security battle

Cyber Liability Insurance

Defense Security Service

Cisco Cyber Threat Defense Solution: Delivering Visibility into Stealthy, Advanced Network Threats

Cybersecurity: Protecting Your Business. March 11, 2015

Connecting the dots: A proactive approach to cybersecurity oversight in the boardroom. kpmg.bm

Advanced Threat Protection with Dell SecureWorks Security Services

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness

Vulnerability Management

Cyber Security Management

CYBER SECURITY SPECIALREPORT

WHITE PAPER KEEPING CLIENT AND EMPLOYEE DATA SECURE DRIVES REVENUE AND BUILDS TRUST PROTECTING THE PROTECTOR

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Top 10 Anti-fraud Tips: The Cybersecurity Breach Aftermath

Testimony of Dan Nutkis CEO of HITRUST Alliance. Before the Oversight and Government Reform Committee, Subcommittee on Information Technology

Things To Do After You ve Been Hacked

THE HUMAN FACTOR AT THE CORE OF FEDERAL CYBERSECURITY

Dealer Member Cyber-security

A HELPING HAND TO PROTECT YOUR REPUTATION

Cyber Security: Confronting the Threat

Business white paper. Missioncritical. defense. Creating a coordinated response to application security attacks

NETWORK SECURITY FOR SMALL AND MID-SIZE BUSINESSES

Transcription:

CFO Changing the CFO Mindset on Cybersecurity What CFOs don t know can hurt their bottom line

Despite increasing cybersecurity involvement, too many CFOs still lack the cyber-savvy necessary to get ahead of threats. Here s why. Cybersecurity, poorly managed, is a material financial risk, affecting a company s ability to succeed or survive. A data breach can negatively impact corporate results, corporate reputation, customer relationships, and the growth trajectory of even the most successful company. The cyber-risk landscape is ever expanding, with a growing volume and variety of attacks coming from outside the enterprise, as well as increasing sophistication of malicious employees on the inside. Unfortunately, all businesses connected to the digital world are under threat, whether they have discovered it or not. The CFO s Role To gain a much deeper understanding of CFOs thinking about cybersecurity, and the roles they play in managing it, CFO Research recently surveyed 128 senior finance executives. The survey findings show that most CFOs understand that they need to play an active role in cybersecurity management, but many lack a complete understanding of the threats they face and the tools they might use to manage those threats. The CFO s role is to protect the bottom line and ensure the viability of the enterprise. The survey found that, because of the risk to corporate performance that data breaches represent, CFOs and senior finance executives are taking an increasingly active role in managing cybersecurity. Four in ten (42%) finance chiefs surveyed say they are the owner or a co-owner of cybersecurity at their companies. A recent Grant Thornton study echoes this data point, finding that 38% of CFOs are responsible for their firms cybersecurity. Changing the CFO Mindset on Cybersecurity 21

And two-thirds (66%) of our survey respondents say they are comfortable understanding/discussing information security (e.g., risks, technology) and translating this information for their Board. This level of CFO involvement in cybersecurity management validates a recent survey by the Ponemon Institute, which found that 79% of C-level U.S. and U.K. executives say executive-level involvement is necessary to achieve effective incident response in the event of a data breach. The CFO has a seat at the cybersecurity table, but do these cyber-savvy finance stakeholders have the insight needed to significantly and positively impact their organization s cyber-risk program? Disconnect: Awareness More than one-third (37%) of the senior finance executives surveyed say they have not had a data breach in the last 12 months. A 2014 Grant Thornton survey of finance executives found that an amazing 74% of respondents said their company has not experienced a data breach. These data points appear to represent an overly optimistic sense of security among both surveys respondents. The 2013 Data Breach Investigations Report (DBIR) noted that more than six in ten (62%) security incidents took months to discover, and 4% of security incidents took a year or more to discover. The fact that the CFO is not aware of a data breach does not mean it hasn t happened. In fact, CFOs might consider the very real possibility that ALL companies have suffered a data breach in the last 12 months i.e, at the very least a network intrusion. In many cases, networks are compromised and the attackers simply lay in wait for years. FIGURE 1 Where is most of your cybersecurity budget spent? Prevention 65% Detection 13% Incident Response 6% Other 4% Not Sure 11% (Percentage of respondents) Changing the CFO Mindset on Cybersecurity 32

Disconnect: Focus Most survey respondents are comfortable with their organization s cybersecurity posture, with two-thirds (67%) reporting that they are comfortable that their organization s cybersecurity budget is being spent effectively. But there s a problem. While 65% of respondents say that their cybersecurity budget is spent on prevention (see Figure 1), a full 61% say unknown threats are their greatest concern. These two data points reflect a clear disconnect. That s because unknown threats are not addressed by traditional prevention tools. In general, preventative technologies rely on signature-based detection, leveraging the fact that the attack methods and malware have been used before and have been identified by the cybersecurity community. Unfortunately, attackers monitor this information as well, so once their code and methodology has been discovered, it is altered. Enterprises that focus primarily on prevention (rather than detection or response) increase the risk of missing unknown threats, such as attacks using weak or stolen login credentials and advanced attacks that do not involve malware. To illustrate how common those hard-to-see threats are, almost 80% of network intrusions involve weak or stolen login credentials. For these reasons, focusing on prevention is not the most effective way to spend your time or money. Disconnect: Response Planning Experts also cite the critical importance of having an incident response plan with clearly defined roles and processes. Such a plan should involve more than just the basics of detection, containment, investigation, remediation and recovery. It should also include steps aimed at minimizing legal liability, reputational impact, and employee morale. Changing the CFO Mindset on Cybersecurity 43

Unfortunately, the Grant Thornton study showed that a small percentage are focused on incident readiness, with only 4% reporting that they have created an incident response plan. Despite the lack of uptake, a defensible and well-defined incident response process is the single most important component of an information security program. As we noted at the beginning, no matter how good your preventative technologies are, a sophisticated (or lucky) attacker is going to get in sooner or later. Still, only 53% of senior finance executives we surveyed say their company has a formal incident response process. And only 23% of finance chiefs have a formal role in incident response. With so much at stake, the CFO should play a formal role in the process. Disconnect: Damage Assessment Figure 2 shows where finance executives expect the largest financial impact to come from in the event of a data breach. Nearly half (49%) of respondents say the largest financial loss would be from impacted business operations. This includes the downtime of critical systems and other operational interruptions resulting from breach investigation and remediation processes. Survey respondents seemed to downplay the financial impact of customer loss (13%), but again these executives seem to be underrepresenting a significant risk. Consumers concerns about the security of their personal data following a breach have severely and lastingly damaged many businesses. While impact from disrupted business operations are easier to quantify in the short term, the long tail of disrupted customer relationships can last far into the future. In the Ponemon 2015 Cost of Data Breach Study, lost business defined as abnormal turnover of customers, increased customer acquisition activities, reputation losses, and diminished goodwill, represents the greatest financial impact. Furthermore that cost is increasing year over year. FIGURE 2 Where would you expect the largest financial impact to come from in the event of a cybersecurity breach of your organization? Impacted Business Operations 49% Service Provider Response and Remediation Costs Legal Costs 16% 18% Customer Loss 13% Other 2% Not Sure 3% (Percentage of respondents) Changing the CFO Mindset on Cybersecurity 54

With all the determined efforts that companies make to acquire and retain customers, it makes sense for the CFO to ensure that the company has a holistic response plan that extends beyond information security activities to mitigate the risk of lost business in the event of a data breach. Making the Connection There is no silver bullet to prevent a cyber attack. The most your firm can do is be a fast-moving target that stands ready to respond. As a CFO, what you can do is understand the stakes of this conflict, take an active role in its management, and if needed seek counsel to augment your advanced threat detection and security analytics tools with equally advanced human analysis and judgment. More and more companies, particularly midsize firms with high threat profiles, are turning to specialized Managed Security Services Providers (MSSPs) that employ a more holistic, context-driven methodology to deliver security monitoring. The best of these providers layer human intelligence and human analysis on top of their monitoring in a practical and scalable way. They are able to bring all your executive stakeholders to the table to design and implement a forward-leaning incident response plan and security awareness program. It s the best a CFO can do. Good luck. Changing the CFO Mindset on Cybersecurity 65

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information